
Four Popular Anti Spam Filters for Exchange Reviewed

by
Synoradzki J., Wawrzyniak P., and Zmudzi
[Published on 5 May 2004 / Last Updated on 5 May 2004]

Your only true defense against spam mail using Microsoft Exchange is to install third-party solutions. With this article, we are going to compare and evaluate four products, each of them somewhat differentiated by its mode of operation and email filtering techniques.

SPAM Smacker 1.0

Spam Smacker 1.0 is a fairly simple but efficient solution. The tool supports Exchange 2000/2003 and requires a reference database (either MS Access or MS SQL) plus an IIS server to host its Web console. Spam Smacker is compatible with Windows 2000 and 2003 servers.

Spam Smacker uses several different methods to identify incoming messages as spam:

keywords matching

blacklist checking

blocking by known spam hosts

checking mails for multiple domains

All spam recognition rules are stored as parameters in the said database (MS Access or MS SQL). They can be used together with Active Directory to provide additional spam detection and filtering capabilities: a separate Organizational Unit can be created within Active Directory to hold the contacts that are to be blocked as spammers. Spam Smacker ships with a default keyword database; that alone, however, cannot cope with spam arriving from certain locations, so keeping the database up to date is important. Any message identified as spam is placed in the BadMail directory (created by default when IIS is installed), although any other directory can be used.

The SPAM Smacker web console serves as a management portal, much like a Microsoft Management Console does for MS products. Here you can edit all keywords and view statistics on delivered or blocked messages. The management console can also be used to alter the values in SPAM Smacker's registry settings. There are several options to choose from.

Administration Console

Administration Console provides the ability to setup the database that stores the inbound email filtering information. The following values can be configured here:

sender/recipient keywords: to store keywords as selective criteria to block any messages containing any keyword in the FROM, TO, CC, and BCC fields.

subject filters: as above, but filtering incoming messages by subject, i.e. by keywords previously defined by the user.

body filters: Spam Smacker uses filters based on the contents of the message body to block unwanted information.

Filtering by keyword is a very useful option as entire phrases can be defined to filter emails accordingly. Keywords are to be separated by commas, for example, "earn, Web". By doing so, all messages containing the phrase "earn money on the Web" or "earn money browsing the Web" will be blocked. Spam Smacker is also able to screen HTML-coded messages, after converting them to plain text.

Spam Smacker also allows users to define groups of senders whose email will always be delivered, overriding the filtering whatever its result. Entire domains can also be added to the list of "allow always" domains (a very useful feature: you can include, for example, the domains of your suppliers, trading partners and customers to ensure reliable communication while still blocking portions of email from other domains).
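As an added illustration (not Spam Smacker's own code), the following Python sketch implements the filtering semantics described above: comma-separated keyword sets checked against the address fields, subject and body, HTML converted to plain text before matching, and an "allow always" domain list that overrides every filter result. The rule values, the sample messages and the whole-word matching are assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Constructed rule set modelled on the options described above. Each rule is a
# comma-separated keyword set; every keyword in the set must appear for the rule to fire.
SENDER_RECIPIENT_KEYWORDS = ["earn, Web"]          # checked against FROM, TO, CC, BCC
SUBJECT_FILTERS = ["free, offer"]
BODY_FILTERS = ["earn, Web", "mortgage"]
ALLOW_ALWAYS_DOMAINS = {"supplier.example", "partner.example"}  # constructed


class _TextExtractor(HTMLParser):
    """Collects text nodes so that HTML mail is matched as plain text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


def rule_matches(rule: str, text: str) -> bool:
    """True when every keyword of the rule occurs as a whole word (case-insensitive).
    Whole-word matching is an assumption here; it keeps "earn" from firing on "learn"."""
    words = [w.strip() for w in rule.split(",") if w.strip()]
    return all(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE) for w in words)


def body_text(msg: Message) -> str:
    """Concatenate text/plain and text/html parts, converting HTML to plain text."""
    parts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            parts.append(html_to_text(raw) if ctype == "text/html" else raw)
    return " ".join(parts)


def sender_domain(msg: Message) -> str:
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def classify(raw_message: str) -> str:
    """Return 'deliver' or 'blocked:<rule group>' for the first group that matches."""
    msg = message_from_string(raw_message)
    if sender_domain(msg) in ALLOW_ALWAYS_DOMAINS:
        return "deliver"  # allow-always overrides every filtering result
    address_fields = " ".join(msg.get(h, "") for h in ("From", "To", "Cc", "Bcc"))
    if any(rule_matches(r, address_fields) for r in SENDER_RECIPIENT_KEYWORDS):
        return "blocked:sender/recipient"
    if any(rule_matches(r, msg.get("Subject", "")) for r in SUBJECT_FILTERS):
        return "blocked:subject"
    if any(rule_matches(r, body_text(msg)) for r in BODY_FILTERS):
        return "blocked:body"
    return "deliver"


# Constructed sample messages (not from the article).
SPAM_HTML = (
    "From: promo@bulk.example\nTo: user@corp.example\nSubject: Great news\n"
    "Content-Type: text/html\n\n<p>You can <b>earn</b> money browsing the Web!</p>\n"
)
PARTNER_MAIL = SPAM_HTML.replace("promo@bulk.example", "sales@partner.example")
OFFER_MAIL = "From: x@bulk.example\nTo: user@corp.example\nSubject: Free offer inside\n\nhello\n"
```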

Statistics Console

The Statistics Console provides the user with spam-related statistics on all incoming SMTP messages that are blocked or delivered, on the most heavily spammed user, on the top DNS names sending spam to your server, etc. The Statistics Console is therefore a useful tool when tuning the Spam Smacker configuration.

SPAM log Console

The SPAM log Console, as its name indicates, is merely a log viewer that provides information on blocked and delivered incoming messages. The administrator may also clear the SPAM logs in this module, and delete or force delivery of blocked messages.

Spam Smacker – A Summary

Summarizing the above: Spam Smacker is a good, efficient anti-spam product for small to medium size companies. It is handy and efficient, and there is no other solution quite like it. It's just a pity that it supports only two versions of MS Exchange Server, namely 2000 and 2003.

GFI MailEssentials for Exchange/SMTP

A multifunction product. Rather than only filtering incoming email, GFI ME goes well beyond anti-spam and includes mail reporting, disclaimers, inbound/outbound email archiving to a database, auto replies, etc. Why is it worth mentioning in an article strictly on anti-spam filters? Because GFI ME features a very interesting filtering mechanism and is therefore easily scalable. Let's take a closer look at some of its characteristic aspects.

GFI MailEssentials system requirements and installation

GFI ME can be installed in two ways:

on the mail server itself, in conjunction with MS Exchange 2000 or 2003;

on a separate server, where it can work with any POP3/SMTP server, MS Exchange 4.5, 5.5, 2000 or 2003, or Lotus Notes 4.5.

How does it work?

GFI ME has several anti-spam filters. They are:

Whitelist/Blacklist

Bayesian analysis

Mail header analysis

Keyword checking

Whitelists/Blacklists

The functionality of these filters is simple: a whitelist is a list of all addresses from which you always wish to receive mail. You can add email addresses, entire domains, or functional domains, for example education (*@*.edu). An interesting option is an automatic whitelist management tool that eliminates the need for administrators to manually enter approved addresses and ensures that mail from particular senders or domains is never flagged as spam. The number of records can be configured; when the list overflows, obsolete records are overwritten.

A blacklist works similarly to competitive alternatives: this is a list of addresses from which you never want to receive mail.

GFI ME also supports third-party Open Relay Databases of SMTP servers such as ORDB.org. By querying the ORDB.org server (every four days), system administrators can download the list of "open relay" servers and automatically delete all email sent from servers on the ORDB list.

Fig 1: A specific Whitelist/Blacklist window

Bayesian analysis

The use of Bayesian filtering is what really sets GFI MailEssentials apart from the competition. With this adaptive technique, the filter automatically "learns" a tailor-made history for each word (or token) specific to the company. The idea is then to make a statistical analysis of the probability of each word or token (such as "$%&"), based on how often that word/token occurs in spam as opposed to legitimate mail (ham).

Fig 2: A specific Bayesian analysis window

Let's get concrete. You have a spam corpus of 2000 mails, 700 of which contain the word "earn", and a ham corpus of 400 mails, 5 of which contain the word "earn".

Hence:

(700/2000) / (5/400 + 700/2000) = 0.35 / 0.3625 = 0.96

After training the system accordingly, all messages containing the word "earn" will be rejected by the filter as spam, since the probability is very high (1 = spam, 0 = legitimate mail).

The flexibility of this analysis is one of its advantages: should the frequency of occurrence of a specific word change, the result changes too. Of course, the entire operation is not reduced to the analysis of a single word: MailEssentials uses its statistical intelligence to process the whole content of the mail for better efficiency. Yet another advantage is the ability to block foreign-language spam. With GFI ME you can easily block spam written in Korean, Polish, etc.
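The worked figure above, carried through in Python as an added example (not GFI's implementation): token_probability reproduces the 0.96 for "earn", and message_probability goes beyond the single-word case by combining all tokens of a message with the standard naive-Bayes formula, which is why the language of the mail does not matter. The training counts other than those for "earn" are constructed.

```python
import math
import re
from collections import Counter

# Constructed training statistics. The "earn" figures are the article's:
# 700 of 2000 spam mails and 5 of 400 ham mails contain the token.
SPAM_TOTAL, HAM_TOTAL = 2000, 400
SPAM_DOCS = Counter({"earn": 700, "money": 900, "meeting": 20, "invoice": 60})
HAM_DOCS = Counter({"earn": 5, "money": 40, "meeting": 150, "invoice": 120})


def tokenize(text: str):
    """Words in any script plus runs of symbols such as "$%&"; the language is irrelevant."""
    return re.findall(r"\w+|[$%&]+", text.lower())


def token_probability(token: str) -> float:
    """P(spam | token) exactly as the article computes it for "earn":
    spam frequency / (ham frequency + spam frequency).
    Unknown tokens return a neutral 0.5; known ones are clamped away from 0 and 1
    so that a single token can never decide the whole message on its own."""
    s = SPAM_DOCS.get(token, 0) / SPAM_TOTAL
    h = HAM_DOCS.get(token, 0) / HAM_TOTAL
    if s + h == 0:
        return 0.5
    return min(0.99, max(0.01, s / (s + h)))


def message_probability(text: str) -> float:
    """Combine the token probabilities of a whole message (the article says
    MailEssentials processes the entire content, not one word). Uses the
    standard naive-Bayes combination p = prod(p_i) / (prod(p_i) + prod(1 - p_i)),
    computed in log space to avoid underflow on long messages."""
    probs = [token_probability(t) for t in set(tokenize(text))]
    probs = [p for p in probs if p != 0.5]  # tokens never seen carry no evidence
    if not probs:
        return 0.5
    log_spam = sum(math.log(p) for p in probs)
    log_ham = sum(math.log(1 - p) for p in probs)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def is_spam(text: str, threshold: float = 0.9) -> bool:
    """Classify with a constructed decision threshold; the product's own is not stated."""
    return message_probability(text) >= threshold


if __name__ == "__main__":
    print(round(token_probability("earn"), 4))  # 0.9655, the article's 0.96
    print(is_spam("Earn money fast $$$"), is_spam("Meeting about the invoice"))
```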

Fig 3: Header checking properties in different languages

Mail header checking

This is a well-known method. Mail header checking consists of a set of rules which, when a mail header matches, make the mail server return messages that have a blank "From" field, that list many addresses in the "To" field from the same source, or that have too many digits in the email address (a fairly popular way of generating fake addresses). It also lets you return messages by matching the language code declared in the header.

Keyword checking

Another method widely used in filtering spam. It works by scanning both the email subject and body. Using "conditions", i.e. combinations of keywords, is a good way to improve filtering accuracy: you can specify combinations of words that must all appear in the email, for example the condition "earn & Web". All messages that include both words will be blocked.

What do I do with the spam mail?

Once GFI ME has categorized an email as spam, a variety of actions can be triggered. You can specify that mail marked as spam should be either immediately deleted or forwarded to the user's spam folder for further analysis. You can also send the spam mail to a specified email address (for example an end-user inbox or a public folder) or move it to a specific directory on disk. Another option available with GFI ME is the ability to tag a spam mail and send it on to the user.

GFI MailEssentials. A summary.

The most important advantages of GFI ME are efficiency and flexibility. Another great merit is Bayesian analysis, which allows the system to work well wherever it is located geographically (as this method is not dependent on the language of communication). Moreover, GFI ME offers the standard mail filtering methods available in other products. That makes GFI's solution very attractive, much more functional than a typical anti-spam filter.

Fig 4: Example of the Daily Usage Statistics report

MailMarshal

MailMarshal is a comprehensive tool that handles e-mail messages throughout a whole corporation. Not only does it block spam efficiently, but it also gives control over unwanted attachments and viruses and allows correspondence filtering. MailMarshal is provided in two versions: MailMarshal for Exchange 2000 and MailMarshal SMTP. The former is MS Exchange 2000 exclusive and offers complete integration with MS Exchange 2000, whereas the latter was designed for various mail servers, e.g. Sendmail on Unix systems, Novell GroupWise, Lotus Domino, Linux and Microsoft Exchange (including the latest 2003 version).

Software requirements:

Microsoft SQL Server 7.0/2000 for creating logs; in smaller networks it is possible to use MSDE, a free-to-download starter edition of SQL Server.

TextCensor and SpamCensor

MailMarshal uses the TextCensor and SpamCensor tools, which together achieve an approximately 90-95% spam detection rate. TextCensor is responsible for detecting words and sentences that are widespread traits of spam. It offers an efficient search mechanism and the possibility of performing a lexical analysis of extracted message fragments with the use of so-called scripts. It allows rejecting suspicious mail quickly, without mistakes (i.e. false positives). Speed is TextCensor's essential feature, as it is much quicker than regular-expression filtering. In turn, SpamCensor is a heuristic filter whose mechanisms are based on:

An analysis of e-mail headers, including anomalies such as missing 'To:' or 'From:' fields, spaces in disallowed places, or particular information on the tool that was used to send the mail,

An analysis of the message's content, comparing it with a model database in search of phrases such as $$$ or s c a t t e r e d text. The analysis covers plain text, HTML and URLs.

An analysis of the structure of the message: its size and arrangement are investigated.

A DNS analysis: addresses of spammers not included in blacklists are checked with a DNS lookup.

Combining these methods gives you a general picture of the message, which is the basis for deciding whether it should be classified as ordinary mail or treated as spam.

Fig 5: Scheme of the processes by which MailMarshal detects spam

SpamCensor uses rules which are arranged in categories. The rules are defined with the use of XML scripts.

Fig 6:What an example rule looks like

At work, SpamCensor analyses messages using pre-defined rules, each of which is assigned a point value. The points attributed to a message are added up during the check, and if the sum exceeds a pre-defined level the mail is classified as spam.

SpamCensor is also equipped with a whitelist mechanism, which prevents blocking of business correspondence that could otherwise be treated as spam because of its content. In turn, the Copy-only and Trial tag period mechanisms allow you to assess the filtering rules in use and introduce them gradually, without disrupting everyday mail circulation.

Dealing with spam-classified mail

MailMarshal is equipped with a tool that manipulates mail headers. It marks messages as spam and forwards them to the recipients, who decide what to do with them, e.g. using their mail software's filtering plug-ins. Unwanted messages may also be transferred to a special folder and quarantined. Moreover, a notification of a blocked message might be sent to an independent user. The notification may contain a specific marker that allows the blocked message to be released once the notification has been answered.

Fig 7: The notification pattern

It is of course possible to define a period after which the message is to be deleted automatically.

Advanced Configuration

Advanced users may configure the software more precisely and tailor it to their individual expectations, since the software's rules are expressed in XML.

The basic editable file is SpamCensor.xml, which holds one of the elementary variables, the Trigger Level. Its value is 60 by default, and it defines how many points a message may accumulate before it is regarded as spam. Note that setting this variable to a lower value results in more false positives.

Other .xml files are SpamFilter.xml and UserDefined.xml. The former is vital for SpamCensor to work; if the automatic update option is active, this is the file that changes every time the software is updated. UserDefined.xml may be used to activate numerous options, e.g. DNS Blacklists. Importantly, multiple lists can be activated.

The software includes a logging option that is particularly useful when testing and configuring it. The log also shows which rules were used in deciding whether a message was spam or not.

You may implement your own scripts of message-filtering rules in the software. Since the rules are not limited to blocking spam, network administrators gain full control of message filtration, i.e. control of message content, with their own filtration schemes.

Fig 10: Virus detection with the use of TextCensor

The possibility of using many scripts at a time is quite useful. Taking advantage of it, you may decide that messages scoring 100 points should be quarantined while lower-rated ones should only be marked as spam.
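As an added example (not MailMarshal's own code or XML rule syntax), this Python sketch shows the SpamCensor scoring model described here together with the header checks listed under GFI's mail header checking: each rule carries a point value, the points are summed, and the total is compared against the default Trigger Level of 60 and the 100-point quarantine tier. The point values, the rejected language code set and the sample messages are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

TRIGGER_LEVEL = 60       # SpamCensor's documented default Trigger Level
QUARANTINE_LEVEL = 100   # the higher tier suggested in the text (constructed policy)
REJECTED_LANGUAGE_CODES = {"xx"}  # placeholder for whichever declared codes a site rejects


def _body(msg: Message) -> str:
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def _digit_heavy_sender(msg: Message) -> bool:
    """More than half of the sender's local part is digits (the 'too many digits' check)."""
    match = re.search(r"([\w.+-]+)@", msg.get("From", ""))
    local = match.group(1) if match else ""
    return bool(local) and sum(c.isdigit() for c in local) / len(local) > 0.5


# Each rule: (description, points, predicate). Point values are illustrative, not the
# product's own. The predicates cover the header and content anomalies named in the article.
RULES = [
    ("blank From header", 40, lambda m: not m.get("From", "").strip()),
    ("ten or more recipients in To", 30, lambda m: m.get("To", "").count("@") >= 10),
    ("digit-heavy sender address", 30, _digit_heavy_sender),
    ("declared language code rejected", 50,
     lambda m: m.get("Content-Language", "").lower() in REJECTED_LANGUAGE_CODES),
    ("bulk mailer named in X-Mailer", 20, lambda m: "bulk" in m.get("X-Mailer", "").lower()),
    ("$$$ in body", 25, lambda m: "$$$" in _body(m)),
    ("s c a t t e r e d text in body", 25,
     lambda m: re.search(r"\b(?:\w ){4,}\w\b", _body(m)) is not None),
]


def score(raw_message: str):
    """Sum the points of every matching rule; also return the matched rule names for the log."""
    msg = message_from_string(raw_message)
    total, hits = 0, []
    for description, points, predicate in RULES:
        if predicate(msg):
            total += points
            hits.append(description)
    return total, hits


def action(total: int) -> str:
    """Two tiers, as the text suggests: quarantine at 100, tag at the Trigger Level."""
    if total >= QUARANTINE_LEVEL:
        return "quarantine"
    if total >= TRIGGER_LEVEL:
        return "tag as spam"  # header rewritten; the recipient's client decides
    return "deliver"


# Constructed sample messages (not from the article).
BULK_SPAM = ("From: \nTo: " + ", ".join(f"user{i}@corp.example" for i in range(10)) +
             "\nSubject: hi\n\n$$$ earn m o n e y fast $$$\n")
MID_SPAM = ("From: 8473920@free.example\nTo: user@corp.example\nSubject: hi\n"
            "X-Mailer: BulkMailer 2.0\n\n$$$ cheap stuff\n")
LEGIT = "From: alice@corp.example\nTo: bob@corp.example\nSubject: lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for sample in (BULK_SPAM, MID_SPAM, LEGIT):
        total, hits = score(sample)
        print(total, action(total), hits)
```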

The race between spammers and spam fighters in inventing spamming methods and anti-spam defences makes the activities of both groups very dynamic; however, the spammers are always slightly in the lead. That's why the automatic update option is a really helpful feature of this software and makes it even more effective.

MailMarshal. A summary.

MailMarshal is a tool with great capabilities for fighting spam, protecting against viruses and Trojan horses, and shielding the network from other email-propagated dangers. The program offers vast configuration options, which account for its dynamic character. Controlling mail content and the automatic update option are undoubtedly quite advantageous. MailMarshal for Exchange only operates on MS Exchange 2000; if you have other versions of MS Exchange, use MailMarshal SMTP.

Trend Micro ScanMail

Trend Micro ScanMail for Exchange is a comprehensive solution to the problem of protecting a corporate network from abuses by mail users. It requires MS Exchange version 5.5 to 2003 in order to operate. Anti-spam protection is provided by an additional module called ScanMail eManager, which only runs with the ScanMail software installed on an MS Exchange 5.5/2000 server. The module allows blocking unwanted messages and filtering their content, so it is possible to cut off correspondence destined for market competitors, reject mail with offensive content, or strip marketing information appended below the text.

The basic functions of Trend Micro ScanMail for Exchange include:

Real-time detection and deletion of viruses from email,

A scalable configuration and remote managing,

Managing the quarantine process for messages containing viruses or spam,

Filtering content of mail with the use of eManager,

Automating the administration of mail protection thanks to the IntelliScan and Active Action mechanisms,

Active email filtration, which allows deleting suspicious content at server level, before the message reaches the recipient,

Secure access to the administration console thanks to a web interface,

The possibility of scanning many mailboxes, public directories and Exchange Information Store databases, and a highly flexible configuration of the scanning process (turning particular security levels on or off for given locations, e.g. turning off anti-virus protection for one mailbox only),

Automatic updates of virus patterns and mail filtering rules.

ScanMail eManager for Microsoft Exchange

ScanMail eManager runs alongside the ScanMail for MS Exchange software. Its task is to protect the users of a corporate network from spam: it stops the Exchange server from processing such messages so that they never reach their recipients.

ScanMail eManager also allows controlling the content of emails, which means it can reject messages with offensive content or those carrying marketing information from unwanted sources. The content filter uses conceptually linked words and phrases that are searched for in incoming email. Network administrators may use the pre-defined content filter rules provided by Trend Micro; however, it is recommended to create your own sets of rules, e.g. for the Polish language.

In order to use the eManager module it is necessary to have a server with both MS Exchange and the ScanMail core software installed. The module provides automatic updates of the filtering rules and lets you view the detailed logs it creates while operating.

The latest edition of the eManager module, version 5.11, adds Microsoft .NET support and improved efficiency, which means less load on the CPU. In addition, Control Manager support was implemented, so that coordinating, tracing and running the anti-virus software installed in the network is possible from this centralized administration console.

Fig 11: Scheme of ScanMail Exchange operation

MicroTrend Manager requirements

The MicroTrend Manager minimum requirements depend on the MS Exchange version you use.

Installing eManager

Before installing the eManager module you have to install the core ScanMail for MS Exchange software on the chosen server. Bear in mind that the email server should be updated to Service Pack 1; eManager itself, however, does not have to be installed on the same system as the ScanMail Management Console (i.e. the administrative interface).

The whole module may be installed on a local or remote host using one user-friendly installer that supports simultaneous installation on multiple servers, making the rollout of the software across the whole company much quicker.

In order to update or remove the eManager module it is necessary to stop ScanMail for MS Exchange. When done, simply restart ScanMail; since it runs as a system service, use the system's Administrative Tools applet (the ScanMail_Monitor, ScanMail_Web and ScanMail_RealTimeScan services, to be precise). The installation should be carried out from an account with domain administrator privileges. The software may also be installed on an MS Cluster Server in a single installation session.

Basic configuration

Having installed the product, make sure that the target directory of the ScanMail eManager module is shared with administrator permissions. The directory's default location is:

...\Program Files\Trend\SMCF

Afterwards, define the message filtering rules and what you want to hunt: spam or forbidden content. The configuration files are placed in the directory mentioned above; their names are contscan.ini and csconfig.dat. Moreover, the ...\Program Files\Trend\SMCF directory contains the contscan.txt, spamrule.txt, AntiSpam.### and Trend$RF.### files, where every modification of the message filtering rules is logged.

Anti-spam rules may be set up in two ways: either to block mails that don't fulfill certain requirements or to let some of them through. It is possible, for example, to create a rule that blocks any mail exceeding a certain size limit, and a global exception rule that allows the company's boss, as the only user of the network, to send or receive messages of unlimited size. Boolean expressions may be used in eManager to define the actions to be taken once certain conditions are fulfilled. Two types of rules are distinguished in the eManager module: regular and exceptional rules. Every configuration option applies to both types of rules; nevertheless, the actions taken when a message fulfills the defined conditions differ between the two. A message matching a regular rule may be deleted, quarantined (i.e. transferred to a specified directory) or archived (i.e. sent to the recipient and copied to a specified copies folder). Exceptional rules allow some condition-fulfilling messages to be sent to their recipients while being archived at the same time. Rules are set up in the Anti-Spam tab. The number of definable rules is unlimited, so you may tailor the module to all of your needs.

Fig 12: Setting up different rules

Fig 13: Keyword requirements for quarantine

Fig 14: Checking the log files

Fig 15: Analyzing the mail header fields

Numerous methods of message filtering have been introduced in this software, including:

Using eManager's keyword and anti-keyword lists, which allow deciding whether a specified email containing certain words is or isn't spam.

Trend Micro ScanMail eManager. A summary.

Trend Micro ScanMail for Microsoft Exchange equipped with the eManager module is a very interesting and comprehensive solution. Not only does it provide spam protection, but it also allows you to filter mail with forbidden and unwanted content and to limit abuses such as sending viruses and Trojan horses, spreading other malicious software, or sending enormous attachments that jam mailboxes. Moreover, the software is easy to install and configure, so introducing it in a company and installing it on the company's servers should be a quick process. The disadvantage of Trend Micro's solution is that this software does not operate on an MS Exchange 2003 mail server, which will gain popularity in the near future. Nonetheless, those who are still using previous versions of MS Exchange will be fully satisfied with this software.

6th May Update: Trend Micro ScanMail eManager now supports Microsoft Exchange 2003

Final comparison

At present there are numerous methods of preventing spam email from being relayed, and the reader is left to ponder which of them is the most effective. There are many software solutions to select from. But before you go through with a purchase, you will want to take an in-depth look at the mechanisms of message analysis, find new ways to get junk mail through your filters, and then find new ways to prevent them.
